I created a keystore through the use of keytool. I then created a .csr request file through keytool. I then went to the Thawte site and pasted in the data from the .csr file in order to get a temp. certificate from Thawte. I then cut the certificate data generated from Thawte and pasted it into a notepad file .cer. I tried to import this .cer file into the keystore I created. I kept having this error:

keytool error: java.lang.Exception: Failed to establish chain from reply

I then obtained Thawte's own public certificate and saved that in a .cer file, and imported it into IE6 through tool>internet options>content>Certificates>other People and then exported it in another format so that I can import Thawte's own cert. as a trusted certificate into my keystore. This import worked. But the initial import continued to have the failed to establish chain problem. Please can someone give me some ideas? Thanks in advance!
Lewin Chan
Ranch Hand
Joined: Oct 10, 2001
Posts: 214
posted
0
Hej, I remember having this problem, but I can't remember what I did to fix it. Here's a couple of things you could try.
a) Check jre/lib/security/cacerts... keytool -list -v -keystore cacerts contains thawte's cert. Putting it into your local keystore shouldn't be necessary.
b) If using jdk1.4, try installing the unlimited jurisdiction policy files.
L
I have no java certifications. This makes me a bad programmer. Ignore my post.
Rob Chung
Ranch Hand
Joined: Oct 15, 2002
Posts: 46
posted
0
Lewin, Thank you very much for your quick reply. I did check that Thawte is one of the trusted entries in my cacerts file. But because I kept having the chain problem, I thought it's worth a try to put that into my keystore (which didn't help to solve my problem anyway). I am using 1.4. Will look into the unlimited jurisdiction policy files now.
Rob Chung
Ranch Hand
Joined: Oct 15, 2002
Posts: 46
posted
0
I have tried the jurisdiction jar files. Still same error. Please do post more ideas if any come up. Thanks!
Rob Chung
Ranch Hand
Joined: Oct 15, 2002
Posts: 46
posted
0
Any more ideas please? Thanks in advance!
Lewin Chan
Ranch Hand
Joined: Oct 10, 2001
Posts: 214
posted
0
Is the file that you have pasted into notepad in a format something along the lines of
I'm not sure that keytool understands PEM format (at least it didn't in 1.3), so you may have to convert it into a DER/CER format using something like openssl.
L
Rob Chung
Ranch Hand
Joined: Oct 15, 2002
Posts: 46
posted
0
Thanks for replying. The public cert. I got was :

I did convert it to other formats through the use of IE6, Tool>Internet Options>Content to import the certificate and export it as other format, then tried importing this converted-format cert. into my keystore. I still have the same error. I searched the net for days and am still stuck with this same error.
Oleg Bivol
Greenhorn
Joined: Jun 04, 2003
Posts: 1
posted
0
I took the following steps and succeeded in this matter:
1. Created a keystore using keytool: "keytool -genkey -alias www.mysite.com -keyalg RSA -keysize 1024 -keystore key.store"
2. Created a certificate signing request (.CSR): "keytool -certreq -alias www.mysite.com -file mysite.csr -keystore key.store" and sent it to Thawte.
3. Imported the received (from Thawte) certificate (.CRT): "keytool -import -trustcacerts -alias www.mysite.com -file mysite.crt -keystore key.store"

Some clients can refuse (without notice) connecting using this certificate in case it is not offered by the machine it was issued for - for example if it was issued for "www.mysite.com" but some other machine uses it to initiate an SSL session.
John Rayan
Greenhorn
Joined: Jul 09, 2003
Posts: 1
posted
0
Hi, I had the same problem and now have solved it by adding an alias name.

keytool -keystore mykeystore -keyalg RSA -import -trustcacerts -alias myalias -file myfile.cer

Hope this will help you!
Johnny Utah
Greenhorn
Joined: Oct 03, 2003
Posts: 1
posted
0
I had this problem, but I didn't import the CA root cert. After I imported the CA root certificate, then the certificate imported fine.
Victor Le
Greenhorn
Joined: Jun 18, 2004
Posts: 1
posted
0
I just had the same problem recently and it turned out it was the format of my SSL cert causing the problem. Once I converted it to the PKCS#7 format, I could import the cert to the identity keystore and was able to start WLS8.1+sp2. Hope this helps.
[ June 18, 2004: Message edited by: Victor Le ]
javaguy manmana
Greenhorn
Joined: Nov 22, 2008
Posts: 1
posted
0
Like somebody else said, you will get this error if you try to import a key using the same alias as before. Try a different alias name and see if it works. This error message is very cryptic for this problem.
Stefan Renemeister
Greenhorn
Joined: Sep 26, 2009
Posts: 11
posted
0
It's a generic error message; it cannot complete the chain.
Most likely you don't have the same CA certificate present as your certificate is signed with.
Randy M Collins
Greenhorn
Joined: Feb 01, 2012
Posts: 1
posted
0
Every time I have had this problem, it is because of a blank line at the end of one of the files being used.
Make sure that at every stage of your cert process that you do not have a blank line after the -----END CERTIFICATE--- line.
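The file-format causes raised in this thread (PEM versus DER, PKCS#7, a blank line after the END line) can be ruled out before running keytool. The following is an added example, not part of any post: `inspect_reply`, `der_is_complete` and `SAMPLE` are hypothetical names, and the sample bytes are constructed.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN (CERTIFICATE|PKCS7)-----(.*?)-----END \1-----", re.S)
# Constructed sample: Notepad-style paste (BOM, CRLF, blank last line) around a
# 4-byte placeholder SEQUENCE. It is not a real certificate.
SAMPLE = b"\xef\xbb\xbf-----BEGIN CERTIFICATE-----\r\nMAIFAA==\r\n-----END CERTIFICATE-----\r\n\r\n"

def der_is_complete(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: n length bytes follow
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_reply(raw: bytes) -> dict:
    """Classify a certificate reply file and list the paste damage found in it."""
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark")
        raw = raw[3:]
    if raw[:1] == b"\x30":                     # binary DER, not pasted text
        if not der_is_complete(raw):
            problems.append("truncated or corrupt body")
        return {"format": "DER", "count": 1, "problems": problems, "clean": None}
    text = raw.decode("latin-1").replace("\r\n", "\n")
    blocks = list(PEM_RE.finditer(text))
    if not blocks:
        return {"format": "unknown", "count": 0, "problems": problems + ["no PEM block"], "clean": None}
    if text[:blocks[0].start()].strip():
        problems.append("text before BEGIN line")
    tail = text[blocks[-1].end():]
    if tail.strip():
        problems.append("text after END line")
    elif tail.count("\n") > 1:
        problems.append("blank line after END line")
    clean = []
    for m in blocks:
        try:
            der = base64.b64decode("".join(m.group(2).split()), validate=True)
        except ValueError:
            der = b""
        if not der_is_complete(der):
            problems.append("truncated or corrupt body")
            continue
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        clean.append(f"-----BEGIN {m.group(1)}-----\n{body}\n-----END {m.group(1)}-----\n")
    return {"format": blocks[0].group(1), "count": len(blocks), "problems": problems, "clean": "".join(clean)}
```

A `count` of 1 with format `CERTIFICATE` means the file holds only the end-entity certificate, so the issuing CA must already be trusted in the keystore or cacerts for the chain to build. The `clean` value is the same content rewritten with LF line endings and no trailing blank line.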
Joanne Neal
Rancher
Joined: Aug 05, 2005
Posts: 2686
posted
0
Is this the Bermuda triangle thread ? 6 people have now made their first post here. 5 have never been heard from again. Is this the end for Randy or will he buck the trend ?